Two vulnerabilities have been found in Fujifilm computed radiography cassette readers. An attacker who exploits them could gain access to the operating system, execute arbitrary code, make the devices inoperable, change their functionality, and cause loss of images.
The following Fujifilm computed radiography cassette readers are affected:
- CR-IR 357 FCR XC-2
- CR-IR 357 FCR Capsula X
- CR-IR 357 FCR Carbon X
CVE-2019-10950 is a critical vulnerability caused by poor access controls on the telnet service. An attacker with a relatively low skill level could exploit it remotely to access the operating system, execute code, and change the device functionality. The vulnerability was assigned a CVSS v3 base score of 9.8 out of 10.
CVE-2019-10948, the second vulnerability, is caused by uncontrolled resource consumption. A denial of service (DoS) attack may trigger an overflow of TCP packets, and an attacker who exploits the vulnerability in this way can make the device inoperable. A reboot is necessary to restore functionality. The vulnerability was assigned a CVSS v3 base score of 7.5.
Marc Ruef and Rocco Gagliardi of Scip AG identified the vulnerabilities.
To prevent exploitation of the vulnerabilities, users can configure the CR-IR-357 system with the ‘Secure Host functionality.’ This setting directs the CR-IR-357 system to disregard network traffic that is not from the IP address specified in the image acquisition console.
This control is only an option for those who use a single image acquisition console with the CR-IR-357 Reader Unit. With this configuration enabled, multiple image acquisition consoles cannot share the Reader Unit, because network traffic is accepted from only one IP address. If Reader Unit sharing is in use, Fujifilm must be contacted for details on other possible mitigations.
Users must also make sure that administrative and technical controls are properly implemented to prevent unauthorized devices and users from connecting to the network. Fujifilm further advises segmenting the network or using a VLAN to separate public traffic from private network traffic.
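One way to verify that these controls hold is to audit flow records for traffic that reaches the reader from any host other than the approved console. The script below is an added example, not code from Fujifilm or the advisory; the IP addresses, the flow-record layout, the packet threshold and the use of the default telnet port (TCP/23) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed for illustration (not from the advisory): addresses, layout, threshold.
READER_IP = "10.20.30.40"     # CR-IR 357 reader (placeholder address)
CONSOLE_IP = "10.20.30.10"    # the single approved image acquisition console
TELNET_PORT = 23              # default telnet port, assumed for the reader
PACKET_THRESHOLD = 1000       # TCP packets per source per minute (assumed)

# Constructed flow records: minute, source, destination, protocol, port, packets
SAMPLE_FLOWS = """\
2024-01-01T09:00 10.20.30.10 10.20.30.40 tcp 5000 42
2024-01-01T09:00 10.20.31.77 10.20.30.40 tcp 23 6
2024-01-01T09:01 10.20.31.77 10.20.30.40 tcp 80 25000
2024-01-01T09:01 10.20.30.10 10.20.30.55 tcp 5000 12
truncated or malformed line
"""

def parse_flows(text):
    """Yield (minute, src, dport, packets) for TCP flows sent to the reader."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of failing the audit
        minute, src, dst, proto, dport, packets = parts
        try:
            src, dst = (str(ipaddress.ip_address(a)) for a in (src, dst))
            dport, packets = int(dport), int(packets)
        except ValueError:
            continue
        if dst == READER_IP and proto.lower() == "tcp":
            yield minute, src, dport, packets

def audit(text):
    """Return (minute, source, finding) tuples for traffic the controls should block."""
    findings, volume = [], Counter()
    for minute, src, dport, packets in parse_flows(text):
        volume[(minute, src)] += packets
        if src != CONSOLE_IP:
            kind = "telnet-from-unapproved-host" if dport == TELNET_PORT else "unapproved-host"
            findings.append((minute, src, kind))
    # Per-minute packet totals apply to every source, the console included.
    for (minute, src), total in sorted(volume.items()):
        if total >= PACKET_THRESHOLD:
            findings.append((minute, src, "high-tcp-volume"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Any finding on a segment where Secure Host or VLAN separation is supposed to be in place means traffic is reaching the reader that those controls should have dropped.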